Privacy Policy
Folder Suggest ("we", "our", "the add-in") is an Outlook add-in developed and operated by an individual developer. It uses on-device AI to suggest the best Outlook folder for each email you read. This policy explains what data we access, how it is used, and your rights as a user.
1. Who We Are
Folder Suggest is an independent add-in developed by a solo developer. It is not affiliated with Microsoft Corporation. For any privacy-related enquiries, contact us at hello@foldersuggest.com.
2. Data We Access
To provide folder suggestions, the add-in accesses the following data from your Microsoft 365 account via the Microsoft Graph API, solely on your device:
- The subject line, sender address, and a portion of the body (up to 1,000 characters) of the currently selected email — used locally to generate a folder suggestion
- The names and IDs of your mail folders
- Subject lines and sender addresses of recent emails in your folders (used to compute local similarity scores)
This data is processed in real time on your device to generate suggestions. None of it is transmitted to our servers, and the currently selected email's data is not retained after the add-in session ends.
In addition, we collect your Microsoft account email address for the following purposes:
- To measure whether anyone is actively using the add-in (usage analytics)
- To maintain a record of users who were using the add-in before it was commercially launched, so they can be identified and offered a free plan tier at our discretion
3. How Data Is Processed
All AI processing happens entirely on your device. The add-in loads a small AI model (~23 MB) from our own servers and runs it locally inside Outlook's browser environment. Your email content is never sent to our servers or to any third-party AI service for processing.
Once per day, the add-in sends your email address (and a timestamp) to a server-side endpoint hosted on app.foldersuggest.com. This lightweight call records that the add-in was used on that date. No email content, folder names, or any other account data are included in this request.
4. Data Storage and Retention
IndexedDB (folder cache): To speed up future suggestions, the add-in caches the following data locally in your browser's IndexedDB storage for up to 30 days:
- Folder names and IDs
- Numerical embedding vectors representing each folder's content
- Sender email addresses and sender domains extracted from recent emails in each folder
This cache remains entirely on your device and is never transmitted to our servers. It is automatically cleared when it expires (30 days), when you uninstall the add-in, or when you clear your browser storage.
localStorage (authentication tokens): The Microsoft Authentication Library (MSAL) stores OAuth tokens — including your account identifier and access credentials — in your browser's localStorage. This is standard browser-based OAuth behaviour and allows the add-in to stay signed in between sessions. These tokens contain no email content and are scoped to app.foldersuggest.com. Access tokens expire after approximately 60 minutes; refresh tokens are managed by Microsoft.
Usage records (server-side, Cloudflare KV): Your email address, the date you first used the add-in, the date you most recently used it, and a session count are stored in Cloudflare KV on our servers. These records are retained indefinitely (or until you request deletion) and are used solely to identify early users for free-plan grandfathering and to measure overall adoption. No email content is stored.
Waitlist emails (historical): Prior to the product's general availability, we collected email addresses from users who requested to be notified at launch. Those addresses were used for a single notification only. If you submitted your email during that period and would like it deleted, email us at hello@foldersuggest.com.
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), our legal basis for accessing your mailbox data is legitimate interests (Article 6(1)(f) GDPR): specifically, to provide the folder suggestion functionality you have explicitly chosen to use. We process the minimum data necessary for this purpose and do not use it for any other purpose.
Our legal basis for collecting your email address for usage analytics and free-plan eligibility is also legitimate interests (Article 6(1)(f) GDPR): to understand whether the add-in is being used and to identify early users who may be offered a free plan tier.
6. Microsoft Graph API and Authentication
The add-in uses Microsoft's OAuth 2.0 identity platform (Azure Active Directory) to authenticate you. During sign-in, Microsoft includes basic account information (email address, display name) in the standard identity token. We use this only to confirm authentication and do not store or transmit it. We explicitly request only the minimum Graph API permissions needed:
- Mail.Read — to read email subjects, senders, and body text, and to list your mail folders
- Mail.ReadWrite — to move emails to the selected folder
7. Data We Do Not Collect
- We do not collect, transmit, or store any email content on our servers
- We do not use cookies or any cross-session tracking
- We do not sell, rent, or share any data with third parties
- We do not build user profiles or use data for advertising
- We do not collect IP addresses, device identifiers, or any data beyond your email address and usage timestamps
8. Third-Party Services
The AI model (~23 MB) is served directly from our own Cloudflare Pages hosting (app.foldersuggest.com) and cached in your browser after the first load. No third-party AI service or model CDN is contacted during normal use. The model was originally sourced from Hugging Face under the Apache 2.0 licence but is bundled with and served entirely by our own infrastructure — your device does not contact Hugging Face.
The add-in communicates with Microsoft Graph (to read folder structure and move emails) and Microsoft Azure Active Directory (for authentication). These are covered by Microsoft's privacy statement.
The app is hosted on Cloudflare Pages, and usage records (email address and timestamps) are stored in Cloudflare KV. Cloudflare acts as a data sub-processor for this stored data. Cloudflare may also process standard web request metadata (IP address, user-agent) as part of its CDN and security services. See Cloudflare's privacy policy.
9. Your Rights (GDPR / CCPA)
Because we do not collect or store personal data on our servers, most data subject rights (access, rectification, erasure) are exercised directly through your Microsoft account. However, you have the following rights with respect to the add-in:
- Right to withdraw consent: Uninstall the add-in at any time via Outlook's add-in manager. This immediately revokes access.
- Right to delete local data: Clear your browser's IndexedDB storage to remove the local embedding cache.
- Right to revoke Graph permissions: Visit myapps.microsoft.com to revoke the add-in's access to your Microsoft account.
- Right to delete your usage record: Email hello@foldersuggest.com to request deletion of your server-side usage record. We will delete it within 30 days.
- Right to contact us: Email hello@foldersuggest.com with any data-related request. We will respond within 30 days.
10. Children's Privacy
This add-in is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect data from children. If you believe a child has used this add-in, please contact us and we will take appropriate steps.
11. Security
All communication between the add-in and Microsoft Graph is encrypted via HTTPS. The add-in is hosted on Cloudflare Pages with HTTPS enforced. Because we do not store email data on our servers, there is no server-side data breach risk for your email content.
12. Disclaimer and Limitation of Liability
This add-in is provided "as is" without warranty of any kind, express or implied. To the maximum extent permitted by applicable law, the developer shall not be liable for any indirect, incidental, or consequential damages arising from your use of the add-in, including but not limited to any loss of data or email misplacement. You use the add-in at your own discretion.
13. Changes to This Policy
We may update this policy from time to time to reflect changes in the add-in or applicable law. The "last updated" date at the top of this page will be updated accordingly. Continued use of the add-in after a policy change constitutes acceptance of the updated policy.
14. Contact
For any questions about this privacy policy or your data, please contact us at hello@foldersuggest.com. We aim to respond within 2 business days.